Password security

I’ve been thinking about password security recently. Like many people I generally use one “strong” password for most of my access in cyberspace. The memorable strong password idea is definitely an improvement over the oldskool practice of changing a password every several weeks, which invariably led people to write down their passwords, making security as flimsy as the yellow post-its they were written on.

Hence the memorable strong password. To be considered strong, most recommend a generous mix of the various sets of keys available on the keyboard:

lowercase letters

uppercase letters

numbers

symbols (e.g. $, @, ., <, etc.)

There are many ways of making a memorable strong password… (the one that should be avoided is simply substituting numbers for vowels… password-cracking wordlists and their mangling rules try p4ssw0rd as easily as password.) Say you have a strong password that’s memorable to you because it combines the year your parents got married, let’s say 1976, with a phrase you like, such as “Let the good times roll!” It’s easy to turn those ingredients into a very strong, memorable password such as 76/L#gtr!19 in just a few steps:

1976 Let the good times roll! (the ingredients)

1976 Ltgtr! (the initials of the phrase with the punctuation intact.)

76/Ltgtr!19 (splitting the year and inserting another punctuation mark after the first numerical part)

76/L#gtr!19 (replacing the t for “the” with a symbol)

The final result is an extremely strong password which should be very easy for the user to remember, so it never needs to be written down.

However, it only takes one shady cybercafe or one phishing site to steal your password, which might very well be the same password you use for your banking, email, and more. Is there a way to create many passwords that are just as strong, but customized for each site you use in such a way you can type it almost automatically?

I believe there is. What if you combined your strong password as a core, customized with an element of the site’s name? The sky is the limit on the possibilities, but if the same pattern is always used, each password should be instantly recallable.

Say you have passwords for Amazon, Gmail, and Paypal. You could take the first two letters of each site name and put them in place of the last two digits of your password to keep it relatively short:

76/L#gtr!Am Amazon

76/L#gtr!Gm Gmail

76/L#gtr!Pa Paypal

The passwords are short, quickly typeable, easily memorable, and completely different. Or if you prefer, you could use the first and last letters, or the first two vowels, or some other consistent rule, and put them in a different place in the strong password structure. Just remember to keep it simple for you and impossible for anyone else. Here’s a variation using three letters of the site name with the second and third letters capitalized, placed in the middle of the strong core:

76/aMAL#gtr! Amazon

76/gMAL#gtr! Gmail

76/pAYL#gtr! Paypal
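The derivation steps above (initials of the phrase, the split year, the “the” to # swap) and both site-customisation rules can be written down as a small script, which makes it easy to check that a core really contains all four key sets the post lists and to see how much two derived passwords actually differ. This is an added example, not code from the original post; the year, the phrase and the three site names are the post’s own, and the function names are mine:

```python
import string

# Constructed inputs, taken from the post: a memorable year and phrase.
YEAR = "1976"
PHRASE = "Let the good times roll!"
# The post's final step: the initial of "the" is replaced by a symbol.
WORD_SYMBOLS = {"the": "#"}


def phrase_initials(phrase, word_symbols=None):
    """First letter of each word, with the phrase's closing punctuation kept.
    Words listed in word_symbols contribute their symbol instead of an initial."""
    word_symbols = word_symbols or {}
    out = []
    for word in phrase.split():
        bare = word.rstrip(string.punctuation)
        if not bare:
            continue
        out.append(word_symbols.get(bare.lower(), bare[0]))
    # keep whatever punctuation closed the phrase ("!" here)
    trailing = phrase[len(phrase.rstrip(string.punctuation)):]
    return "".join(out) + trailing


def build_core(year, phrase, separator="/", word_symbols=None):
    """Last two digits of the year, a separator, the initials, then the
    first two digits: 1976 + "Let the good times roll!" -> 76/L#gtr!19."""
    return year[2:] + separator + phrase_initials(phrase, word_symbols) + year[:2]


def site_suffix_variant(core, site):
    """Rule 1 from the post: the first two letters of the site name, first
    one capitalised, replace the two digits that end the core."""
    return core[:-2] + site[:2].capitalize()


def site_infix_variant(core, site):
    """Rule 2 from the post: three letters of the site name, second and third
    capitalised, inserted after the first punctuation mark of the core; the
    trailing digits are dropped, as in the post's examples."""
    token = site[0].lower() + site[1:3].upper()
    body = core[:-2]
    cut = next((i + 1 for i, ch in enumerate(body) if not ch.isalnum()), 0)
    return body[:cut] + token + body[cut:]


def character_classes(password):
    """Which of the four key sets named in the post are present."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def uses_all_four(password):
    return character_classes(password) == {"lower", "upper", "digit", "symbol"}


def differing_characters(a, b):
    """Number of positions at which two equal-length passwords differ."""
    return sum(1 for x, y in zip(a, b) if x != y) + abs(len(a) - len(b))


if __name__ == "__main__":
    core = build_core(YEAR, PHRASE, word_symbols=WORD_SYMBOLS)
    print("core:", core, "all four key sets:", uses_all_four(core))
    for site in ("Amazon", "Gmail", "Paypal"):
        print(site, site_suffix_variant(core, site), site_infix_variant(core, site))
```

differing_characters makes the trade-off visible: the Amazon and Gmail suffix variants differ in a single character, so the per-site part adds convenience rather than an independent secret, and anyone who sees one derived password and the pattern can reconstruct the rest. The strength still rests on the core.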

Again, the passwords are all strong, and all so easily memorable they should never need to be written down. But this technique’s true value lies in the uniqueness of the passwords. Should someone learn your Amazon password, he or she will still not be able to log in to your Gmail or Paypal accounts.

A couple of closing thoughts. First, there are unfortunately still many sites, including financial sites, that only allow alphanumeric passwords… no punctuation symbols can be used. For these sites, just keep the core password as strong as possible, using lowercase, uppercase, and numbers. Unfortunately, this means you may need two cores, one with symbols for the majority of sites that allow them, and an alphanumeric core for those that don’t. However, the alternate core can also be made very easy to remember. Here are two easy ways to do it:

Use a single letter as a substitute for the symbols:

76/L#gtr!Am for Amazon

76zLzgtrzSi for SiteWhichDoesNotAllowSymbols.

An alternate solution is to just omit the symbols.

76/L#gtr!Am for Amazon

76LgtrSi for SiteWhichDoesNotAllowSymbols.

If you forget which sites allow symbols and which don’t, no problem. Simply try the version with symbols first, and if that doesn’t work, the version without.

Secondly, if you’re a traveler, make sure your password is possible to type quickly on any keyboard of any country you’re likely to be in. Some of the punctuation symbols on the US keyboard layout do not appear on the keyboards of other countries or require “dead keys” to produce which may not register as single characters for password purposes. For instance, our straight double quotation marks are not used in many countries. Symbols like |, [, and ^ also might not appear on international keyboards or could require additional keystrokes to type even if they do. It’s probably best to slightly limit the symbol set for your password to symbols universally used in math or on the Internet, such as # . , @ ! + - / etc. See Wikipedia’s article on keyboard layouts for more information.
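The two alphanumeric fallbacks, the “try the symbol version first” rule, and the portable-symbol advice from the last two paragraphs are straightforward to encode. This is an added example rather than the post’s own code; the fallback letter z and the portable symbol set # . , @ ! + - / are taken from the post, and the function names are mine:

```python
# Symbols the post lists as safe to type on most national keyboard layouts.
PORTABLE_SYMBOLS = set("#.,@!+-/")


def is_symbol(ch):
    """Anything that is neither a letter nor a digit counts as a symbol."""
    return not ch.isalnum()


def letter_for_symbols(password, letter="z"):
    """Fallback 1: replace every symbol with one fixed letter.
    76/L#gtr!Si -> 76zLzgtrzSi"""
    return "".join(letter if is_symbol(ch) else ch for ch in password)


def without_symbols(password):
    """Fallback 2: drop the symbols altogether.
    76/L#gtr!Si -> 76LgtrSi"""
    return "".join(ch for ch in password if not is_symbol(ch))


def candidates_to_try(password, fallback=without_symbols):
    """The post's rule when you forget a site's policy: the version with
    symbols first, then the alphanumeric fallback. Duplicates are removed so
    an already-alphanumeric password yields a single candidate."""
    return list(dict.fromkeys([password, fallback(password)]))


def nonportable_symbols(password, portable=PORTABLE_SYMBOLS):
    """Symbols in the password that fall outside the portable set, i.e. the
    ones that may be missing or need dead keys on a foreign keyboard."""
    return {ch for ch in password if is_symbol(ch) and ch not in portable}


if __name__ == "__main__":
    for pw in ("76/L#gtr!Si", "76|L^gtr!19"):
        print(pw, candidates_to_try(pw), letter_for_symbols(pw),
              "non-portable:", nonportable_symbols(pw) or "none")
```

Running nonportable_symbols over a candidate core before adopting it catches the | [ ^ problem the post describes while the password is still easy to change.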

This entry was posted on Tuesday, May 6th, 2008 at 11:04 pm and is filed under Security.

What makes me skeptical about strong passwords is that you can use English dictionary words with minor alterations. Some default ones like krod44! (medium strength) become strong with kr0D44! which seems so simple to crack.

Further, most sites lcase or ucase passwords on read in to make database calls easier or usability easier. The trick comes where you sacrifice usability for security or vice-versa.

I’m not so skeptical, Joe… With that example, the base, krod44 is non-sensical to begin with, not found in any English dictionary or in any other language… Further strengthening it seems fine to me… Is kr0D44! simple to crack? Maybe for hackers who are natives of Krodaa.

Good information though, about the potential equivalence of uppercase and lowercase on some servers.